Improving Your Trust Score
A step-by-step workflow to raise your agent's trust score from baseline to verified.
Each step is independent. You can complete them in any order and at your own pace. Every action you take raises your score incrementally.
Step 1: Check Your Current Score
Start by seeing where you stand. Run `opena2a trust` to view your current trust score, trust level, and any findings.
```bash
opena2a trust
```

The `--source` flag defaults to npm, so you do not need to specify it for npm packages. For PyPI packages, pass `--source pypi`. GitHub URLs are auto-detected.
If your package has not been scanned yet, the score will reflect only the basic supply chain signals (dependency count, maintainer activity, publish recency). The output includes specific recommendations for what to do next.
Step 2: Register Your Package
Register your package in the OpenA2A trust registry so it becomes discoverable. Claiming (Step 3) proves you are its maintainer and unlocks higher trust levels.
```bash
opena2a self-register
```

See the self-register command reference for options including `--dry-run` and `--only`.
Step 3: Claim Your Profile
Claiming proves you are the publisher. This alone typically adds 10-20 points to your trust score and upgrades your trust level from discovered to claimed.
```bash
opena2a claim
```

The command verifies your npm or GitHub identity and generates an Ed25519 keypair. See the claim command reference for details.
Step 4: Run Security Scans
Security scan results are the largest contributor to your trust score. HackMyAgent is a separate security scanner that feeds your trust score. Install it with:
```bash
npm install -g hackmyagent
```

Then use it to run 147 security checks and publish the results.
```bash
hackmyagent scan .
hackmyagent scan . --publish
```

The `--publish` flag attaches the scan results to your trust profile. Each subsequent scan replaces the previous results, so your score reflects your current security posture.
Step 5: Fix Findings and Rescan
The scan output includes actionable fix instructions for each finding. Address the highest-severity findings first and rescan to see your score improve.
```bash
hackmyagent scan . --auto-fix
hackmyagent scan . --publish
```

Common fixes that have a large score impact:

- Remove hardcoded credentials (`opena2a protect`)
- Add a SOUL.md governance file (you will create this in Step 5) (`hackmyagent harden-soul`)
- Pin dependency versions and audit for known vulnerabilities
- Declare capabilities explicitly in your MCP server configuration
Step 6: Add a Trust Badge
Once your score is where you want it, add a trust badge to your README so users and consumers can see your security posture at a glance.
```markdown
[](https://opena2a.org/trust/PACKAGE_NAME)
```
See the Trust Badges guide for GitHub Action automation and additional options.
Step 7: Monitor Over Time
Trust scores update as new scans are published and supply chain data changes. Set up periodic checks to maintain your score:
```yaml
- name: Check trust score
  run: |
    npx opena2a-cli trust --ci --json > trust.json
    SCORE=$(jq '.trustScore' trust.json)
    echo "Trust score: $SCORE"
    # Optional: fail if score drops below threshold
    jq -e '.trustScore >= 60' trust.json
```

Score Impact Summary
| Action | Typical Impact |
|---|---|
| Claim your profile | +10 to +20 points |
| Publish first scan results | +15 to +25 points |
| Fix critical/high findings | +5 to +15 points per finding |
| Add SOUL.md governance file | +5 to +10 points |
| Remove hardcoded credentials | +5 to +10 points |
| Resolve dependency vulnerabilities | +3 to +8 points |
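The periodic check in Step 7 gates only on an absolute floor. The following Node script is an added example, not code from the OpenA2A project or its CLI: it reads the JSON written by `opena2a-cli trust --ci --json`, fails closed on malformed output, and additionally fails when the score has regressed by more than a configurable number of points against a baseline recorded by the previous run. Only the `trustScore` field shown on this page is assumed to exist; the baseline file, the `maxDrop` rule and the script name `trust-gate.js` are this example's own assumptions.

```javascript
// Added example (not part of the OpenA2A project or its CLI): a fail-closed
// CI gate over the JSON that `opena2a-cli trust --ci --json` writes. Only the
// `trustScore` field shown on the page is assumed; the baseline file and the
// maxDrop regression rule are this example's own additions.

// Parse the CLI output and pull out a numeric trust score. Anything that is
// not well-formed is reported as a failure so the gate never passes by accident.
function readTrustScore(jsonText) {
  let data;
  try {
    data = JSON.parse(jsonText);
  } catch (err) {
    return { ok: false, reason: `invalid JSON: ${err.message}` };
  }
  // Guard against non-object JSON (null, numbers, strings) before indexing.
  const score = data !== null && typeof data === 'object' ? data.trustScore : undefined;
  if (typeof score !== 'number' || !Number.isFinite(score)) {
    return { ok: false, reason: 'trustScore missing or not a number' };
  }
  return { ok: true, score };
}

// Gate decision. Fails when the score is under the absolute floor, or when it
// regressed by more than maxDrop points against a previously recorded baseline.
// An absent or unreadable baseline is treated as a first run (floor check only).
function evaluateGate(currentText, previousText, options = {}) {
  const minScore = options.minScore === undefined ? 60 : options.minScore;
  const maxDrop = options.maxDrop === undefined ? 5 : options.maxDrop;

  const cur = readTrustScore(currentText);
  if (!cur.ok) {
    return { pass: false, reason: cur.reason };
  }
  if (cur.score < minScore) {
    return { pass: false, score: cur.score, reason: `score ${cur.score} is below the floor of ${minScore}` };
  }
  if (previousText !== null && previousText !== undefined) {
    const prev = readTrustScore(previousText);
    if (prev.ok && cur.score < prev.score - maxDrop) {
      return {
        pass: false,
        score: cur.score,
        reason: `score dropped from ${prev.score} to ${cur.score} (more than ${maxDrop} points)`,
      };
    }
  }
  return { pass: true, score: cur.score, reason: 'ok' };
}

// Constructed sample outputs (not real CLI output) so the example runs offline.
const SAMPLE_CURRENT = JSON.stringify({ trustScore: 72 });
const SAMPLE_PREVIOUS = JSON.stringify({ trustScore: 80 });

// Usage in CI: node trust-gate.js trust.json [baseline.json]
// With no arguments the constructed samples are used, which demonstrates a
// regression: 72 passes the floor of 60 but is more than 5 points under 80.
// A non-zero exit status fails the pipeline step, as the page's `jq -e` check does.
function main(argv) {
  const fs = require('fs');
  const read = (path) => {
    try { return fs.readFileSync(path, 'utf8'); } catch (err) { return null; }
  };
  const currentText = argv[0] ? read(argv[0]) : SAMPLE_CURRENT;
  const previousText = argv[0] ? (argv[1] ? read(argv[1]) : null) : SAMPLE_PREVIOUS;

  const result = evaluateGate(currentText, previousText);
  const shown = result.score === undefined ? 'n/a' : result.score;
  console.log(`Trust score: ${shown} (${result.reason})`);
  process.exitCode = result.pass ? 0 : 1;
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  main(process.argv.slice(2));
}
```

The baseline has to be carried between runs (a CI artifact or cache holding the last passing `trust.json` is enough); without it the gate applies only the floor, so a slow decline that never crosses 60 would go unnoticed. Treating a missing or non-numeric `trustScore` as a failure rather than a pass matters because a CLI error or a schema change would otherwise silently disable the check.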